
HSBC Data Breach Hits Online Banking Customers

International banking giant HSBC has reported that it was breached in October, as a result of a credential-stuffing attack.

In a notice [PDF] filed with the state of California, the bank said that it became aware of some online accounts being accessed by unauthorized users between October 4 and 14. The hack affected a segment of the bank’s U.S. customers — less than 1 percent of its U.S. client base, it told the BBC, though exact numbers have not been released. The incident exposed names, addresses and dates of birth, along with banking-specific information like account numbers and balances, statement and transaction histories, and payee account numbers.

“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” the bank said in a statement. “We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service.”

Further details on the breach – including whether funds were stolen from victimized accounts – have not yet come to light.

“From the organization’s point of view: credential stuffing seems like a suspicious explanation for a bank-account breach,” said Bryan Becker, application security researcher at WhiteHat Security, via email. “Generally speaking, banks require some sort of two-factor authentication, and that should stop any credential stuffing attack in its tracks. This begs the question of either: Why wasn’t HSBC using two-factor authentication, or, if they were, what was the real cause of the breach?”

However, Shape Security’s 2018 Credential Spill Report shows that the U.S. consumer banking industry loses up to $1.7 billion annually as a result of credential-stuffing; and that these attacks account for up to 58 percent of a consumer bank’s login traffic. In terms of granular stats, the report estimates that there are an average of 232.2 million malicious login attempts per day with a 0.05 percent success rate for the consumer banking industry, equating to 116,106 successful account takeover attacks every day, with an average of $400 stolen from an individual account.

“While HSBC did not report that passwords were included in the breached information, it is important to understand that credential stuffing attacks originate with the password for the account in question, so it should be assumed that those passwords have already been breached — just not by HSBC,” said Jarrod Overson, director of engineering at Shape Security, in an emailed media statement. “This is typical for account takeovers due to credential stuffing and, with over 7 billion credential records spilled since 2015, it’s reasonable to assume this could happen to just about anybody.”
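The attack pattern described in this article, a source replaying username/password pairs leaked from somewhere else against many different accounts with a low success rate, leaves a recognisable shape in web-login logs. The following script is an added example for this article, not code from HSBC, Shape Security or WhiteHat Security; it aggregates login events per source IP over a small set of constructed log lines (the log format, the IP addresses, the usernames and the thresholds are all assumptions) and flags sources that look like credential stuffing, reporting any successful login from such a source as a suspected account takeover to be pushed through a second factor or a password reset.

```python
"""Flag credential-stuffing patterns in web-login logs.

Credential stuffing tries *many distinct accounts* from one source with a
low success rate, which is the signal this script looks for.  A single
account failing repeatedly (forgotten password, or a targeted brute force)
is a different signal and is deliberately not flagged here.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines; the format and all values are assumptions
# for this example, not records from any real bank or system.
SAMPLE_LOG = """\
2018-10-04T02:11:03Z ip=203.0.113.7 user=alice result=FAIL
2018-10-04T02:11:04Z ip=203.0.113.7 user=bob result=FAIL
2018-10-04T02:11:05Z ip=203.0.113.7 user=carol result=FAIL
2018-10-04T02:11:06Z ip=203.0.113.7 user=dave result=OK
2018-10-04T02:11:07Z ip=203.0.113.7 user=erin result=FAIL
2018-10-04T02:11:08Z ip=203.0.113.7 user=frank result=FAIL
2018-10-04T02:11:09Z ip=203.0.113.7 user=grace result=FAIL
2018-10-04T02:11:10Z ip=203.0.113.7 user=heidi result=FAIL
2018-10-04T09:30:00Z ip=198.51.100.2 user=alice result=FAIL
2018-10-04T09:30:21Z ip=198.51.100.2 user=alice result=OK
2018-10-04T11:02:00Z ip=192.0.2.9 user=ivan result=FAIL
2018-10-04T11:02:30Z ip=192.0.2.9 user=ivan result=FAIL
2018-10-04T11:03:10Z ip=192.0.2.9 user=ivan result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP login counters."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: list = field(default_factory=list)  # users that logged in OK


def parse_line(line):
    """Return (ip, user, result) for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("user"), m.group("result")


def aggregate(log_text):
    """Aggregate login events per source IP; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, result = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.successes.append(user)
    return dict(stats)


def flag_stuffing(stats, min_users=5, min_fail_ratio=0.8):
    """Return {ip: [users whose successful logins look like takeovers]}.

    A source is flagged when it has tried at least `min_users` distinct
    accounts and at least `min_fail_ratio` of its attempts failed.  The
    thresholds are assumptions for this example and must be tuned per site.
    """
    flagged = {}
    for ip, s in stats.items():
        if s.attempts == 0:
            continue
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s.successes)
    return flagged


def suspected_takeovers(log_text):
    """Convenience wrapper: parse, aggregate and flag in one call."""
    return flag_stuffing(aggregate(log_text))


if __name__ == "__main__":
    for ip, users in suspected_takeovers(SAMPLE_LOG).items():
        print(f"{ip}: credential-stuffing pattern; step-up auth for {users}")
```

Keying on a single source IP is the simplest version of this check and is what the constructed log exercises; in practice stuffing traffic is spread across many addresses, so production detection also groups by signals such as client fingerprint, ASN and request timing, and feeds the result into step-up authentication rather than a hard block, which is the point made above that a second factor stops the replayed password from being enough on its own.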
